I have some java code which allows users to reset their passwords stored on a LDAP server. The code runs as part of a web application running on Glassfish.
The problem I'm seeing is that after calling the change password operation, the user can subsequently use either password to access the application.
I have a unit test which runs directly against the LDAP server and I can verify that the password did indeed change and the user cannot gain access using the old password. The problem is not on the LDAP server.
What I've noticed is that if I restart Glassfish after the password change operation, only the new password is valid (as expected). I'm guessing that Glassfish is caching the credentials somewhere.
What do I need to set in Glassfish (or maybe in my web.xml) to either
- tell Glassfish not to cache the LDAP credentials
- reset the Glassfish password cache
Thanks in advance....
UPDATE Still having this problem. I also thought that the browser could be storing this information, but that doesn't seem to be the case. I close out of my browser session and both passwords still work in the new session - even with different types of browsers. BTW - I don't know if it matters or not, but this is HTTP basic authentication.
UPDATE We are also using the single sign on functionality included with Glassfish. From this article, it looks as if the session is tied to a cookie on the browser and maybe the user would be valid until the cookie expired? It looks as if the cookie is tied to a session. Getting closer to figuring this out....